Constructivist Information Security Awareness
M.Boujettif (Italtel, [email protected]) & Y.Wang (UCCC)
BWCCA 2010
Fukuoka Institute of Technology, Fukuoka, Japan
Abstract
The application of a unique approach to enhancing information security awareness amongst employees, in an effort to improve information security
Surveyed the current attitudes and awareness levels of 116 employees in 30 companies towards information security
2 companies opted to implement our new approach (CISA) based on a highly-employee centred constructivist method
The CISA approach aims to benefit employees at different levels, as it affects and encourages employee learning autonomy
Constructivist Information Security Awareness (CISA)
CISA encourages CIOs and end users to improve their awareness of the risks associated with utilising ICT
CISA builds a conscious awareness of one's own attitude. This is deemed important in improving information security
Attitudes play an important role in information security behaviour
We confirm a positive correlation between poor/negative attitudes and low levels of information security
Introduction
Interviewed CIOs: we established their current information security levels
Conducted questionnaires to determine the employees' attitudes
Compared the results for any suspected correlations
2 companies were chosen which were established as having poor information security and whose employees exhibited negative and/or poor information security attitudes:
We introduced them to our unique information security programme (CISA) based on constructivist methods
Research Questions
The research's main questions:
Is there a correlation between information security levels and attitudes towards information security?
How useful are constructivist training methodologies in improving information security awareness?
Expected: companies had security awareness campaigns, but do they measure the effects of such campaigns on the employees' attitudes and behaviour?
How do we know that the campaigns are working? Do the campaigns really improve users' attitudes and behaviour towards information security?
Results were used to establish effective security campaigns based on a constructivist approach
What is this approach? An individualised, user-centred free learning environment where users are in control of their own learning process
Such an investigation has never been applied in the context of information security, IT security (even telecom security), and this makes this project unique
Human Element
Information Security: traditionally conjures up images of complexity (HW & SW) – only implementable by professional security firms!
Previous researchers, like Stanton et al (2003), Schneier (2000), and Katsikas (2000) have warned that
“it’s not only the technical software or hardware aspects that introduce vulnerabilities into an information system, rather it’s the users of the system which pose the greatest and most serious information security risk.”
The human element needs to be dealt with first and foremost! Stephanou & Dagada (2008)
Procedures/policies are implemented to guide people (administrators/users/operators) in how to use products to ensure information security within their organisations
Importance of Human Element
Natural question: how do we deal with or influence the human aspect?
Rules/threats; punishment maybe? Fines? Imprisonment? Loss of job?
Information! Training! Education!
Training and education in a subject have a better track record of affecting perceptions/attitudes towards that subject
Environment and pedagogy (methods of training) have a lot to do with individuals' perceptions (Ann, Timothy and Laubach [2001])
Changing or improving perceptions/attitudes towards something is rather challenging – why?
Avoiding? Moving away? – Bad perceptions & feelings!
Exemplified in the fields of academia/training by people's dislike of challenging subjects (such as Science and Mathematics)
An effective ISA programme needs to seek to influence and improve the users' education and training, and guide their understanding of IS concepts
Middle Eastern Companies
Home grown Middle-Eastern companies pay little attention to ISA:
Never existed
Little understood / appreciated
Ambiguous and ineffective policies towards information security are due to:
Genuine lack of awareness
Blasé attitude by both senior management and senior security professionals
Campaigns were basic (warnings via email/ posters)
Increasing the appreciation of ISA programmes was done by ensuring the development of effective employee centred programmes:
Entails imparting of knowledge whether in a training format or in a more academic format
Information presented in a manner that is designed to change unfavourable perceptions and attitudes to desirable ones
Attitudes & Perceptions
What are perception and attitudes?
Attitudes govern a person's personality, beliefs, values, and motivations
Three components: 1) affect (feeling), 2) cognition (thought or belief), 3) behaviour (an action)
Individuals even try to employ interesting tactics in an attempt to reduce dissonance (conflict):
Eliminating their responsibility for or control over an act or decision
Denying, distorting, or “selectively” forgetting information
Minimising the importance of the issue, decision, or act
Develop an ISA programme that reduces the cognitive dissonance (conflict)
Attitude formation: a result of learning, modelling others, and direct experiences with people and situations
Attitudes have different strengths, are learned or influenced through experience, and they can be changed!
Attitude is measured/assessed by how strongly one agrees or disagrees (likes or dislikes) with a statement, ticking a 1–5 scale
Constructivism
Anything that may cause a sense of failure and/or negative feelings is an obstacle – complexity is one of them
Attitude change occurs by addressing the cognitive and emotional components via new information
Employing methods utilised in pedagogical circles, which have a track record of yielding positive results
One proven method of making positive changes to one's attitude and perceptions: constructivist methodology
“...commitment to the idea that the development of understanding requires active engagement on the part of the learner.”
Naylor and Keogh (1999)
“...principles of this approach ... learners can only make sense of new situations in terms of their existing understanding. Learning involves an active process ... learners construct meaning by linking new ideas with their existing knowledge.”
Active learning approaches were found to be beneficial and positive in improving academic achievement, attitude and concept learning (Anzai & Simon [1979], Maria & Rosetta [2005])
CISA Programme
Our CISA Programme entails:
Elements of transfer of knowledge
Conducive environment of learning
Material is learner-friendly/learner-centric
Little or no instruction or explanation
Encourages active and engaging environment with virtual independence in learning
The CISA approach allows users to develop information security material and activities that contain their own terminology and explanations, which they themselves construct and understand
Avoids passive learning
Moves towards active and interactive learning
Learners relate information security to their daily lives and how it affects them and their colleagues
The material (information security warnings, posters, emails and policies) can sometimes be daunting and unwieldy; CISA therefore lets participants feel more ownership in gaining a deeper understanding, guaranteed since they constructed the material themselves and so comprehend it
Method and Realisation
Sample size: 240 individuals, of whom only 116 responded accurately and concisely
30 CIOs interviewed; survey of attitudes and perceptions
Questionpro (2007); University of Florida IT Security Awareness (2009); TCET (1997)
Results were validated for consistency and disparate answers were removed, leaving only consistent data outcomes
Single case-study with a questionnaire administered in two companies (sample ISA material)
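The two steps the Method slides describe, scoring a 1–5 agree/disagree attitude questionnaire and removing inconsistent answers before analysis, as an added Python example. This is not the paper's own code or instrument: the item wording, the reverse-keying, the pairing of items and all respondent answers are constructed for illustration.

```python
"""
Added example (not from the original paper): scoring a 1-5 Likert attitude
questionnaire and dropping inconsistent respondents. Items, pairings and
responses below are constructed for illustration.
"""
from statistics import mean

# Constructed items. Each entry: reverse-keyed? and an attitude pair id.
# A reverse-keyed item is phrased negatively, so "strongly agree" (5) means
# a poor attitude and is flipped before scoring. Items that share a pair id
# ask the same thing in opposite directions and serve as a consistency check.
ITEMS = {
    "q1": {"reverse": False, "pair": "backup"},     # "I back up my work files regularly"
    "q2": {"reverse": True,  "pair": "backup"},     # "Backing up files is a waste of my time"
    "q3": {"reverse": False, "pair": "passwords"},  # "Strong passwords are worth the effort"
    "q4": {"reverse": True,  "pair": "passwords"},  # "A simple password is good enough for me"
    "q5": {"reverse": False, "pair": None},         # "Phishing emails are a real risk to my company"
}

SCALE_MIN, SCALE_MAX = 1, 5


def recode(item_id, raw):
    """Flip reverse-keyed items so a higher score always means a better attitude."""
    if not SCALE_MIN <= raw <= SCALE_MAX:
        raise ValueError(f"{item_id}: {raw} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return SCALE_MAX + SCALE_MIN - raw if ITEMS[item_id]["reverse"] else raw


def attitude_score(answers):
    """Mean recoded score over all items: 1.0 (very negative) to 5.0 (very positive)."""
    return mean(recode(item_id, answers[item_id]) for item_id in ITEMS)


def is_consistent(answers, tolerance=1):
    """True when every paired item set agrees after recoding (within `tolerance`
    scale points) and the respondent did not tick the same box for every item."""
    pairs = {}
    for item_id, raw in answers.items():
        pair = ITEMS[item_id]["pair"]
        if pair:
            pairs.setdefault(pair, []).append(recode(item_id, raw))
    if any(max(scores) - min(scores) > tolerance for scores in pairs.values()):
        return False
    # Straight-lining: identical raw answers to every item, including the
    # reverse-keyed ones, indicates the statements were not actually read.
    return len(set(answers.values())) > 1


def validate(responses):
    """Split responses into those kept for analysis and those removed as inconsistent."""
    kept = {rid: ans for rid, ans in responses.items() if is_consistent(ans)}
    removed = sorted(set(responses) - set(kept))
    return kept, removed


# Constructed responses: r1 positive, r2 negative but internally consistent,
# r3 contradicts itself on backup, r4 ticks 5 for every statement.
RESPONSES = {
    "r1": {"q1": 5, "q2": 1, "q3": 4, "q4": 2, "q5": 5},
    "r2": {"q1": 2, "q2": 4, "q3": 2, "q4": 4, "q5": 3},
    "r3": {"q1": 5, "q2": 5, "q3": 4, "q4": 2, "q5": 4},
    "r4": {"q1": 5, "q2": 5, "q3": 5, "q4": 5, "q5": 5},
}

if __name__ == "__main__":
    kept, removed = validate(RESPONSES)
    for rid, answers in kept.items():
        print(f"{rid}: attitude score {attitude_score(answers):.2f}")
    print("removed as inconsistent:", removed)
```

Reverse-keyed statements are what make the consistency check possible: a respondent who strongly agrees both that they back up regularly and that backups are a waste of time has not read the items, and keeping that record would distort the attitude/security-level correlation the study looks for.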
Sample Size
[Chart: Sample Size – series: No Response, Responded, CIO]
Results: Information Security Awareness ISA
Respondents indicate a shockingly low level of information security awareness, for example in their internet and email usage behaviours:
Rather concerning results – a real lack of ISA training
Current ISA programmes are ineffective and have profound consequences for information security
[Chart: ISA Awareness (0–100%) – categories: No backup of work files; Simple password structure; Without latest updates; Not aware of viruses etc.; Vulnerable to attack; Never used firewalls; Ignorant of phishing]
Results: Employees’ ISA
Information security policies and procedures were little understood and rarely recognised or appreciated
Concerning situation: what was witnessed in the majority of KSA companies gives us a reasonable microcosm of the possible state of information security awareness in and around the Middle East
[Chart: Levels of ISA (0–100%) – categories: Security Dept; Security Policies; Term IS; Security Procedures; ISA Specialist; ISA Material Never Published; Security Info By Word of Mouth]
Results: Respondents’ Attitudes
Respondents' attitudes towards interactive learning were positive:
The activities that may motivate the learning of new concepts were those which required challenging, creating and inventing, as indicated by the results:
[Chart: Attitudes To Learning (0–100%) – categories: Challenges; Investigating; Interactive Learning; PC Based Activities; PC Over Reading]
[Chart: Learning New Concepts (0–100%) – categories: Uniqueness; Doing; Inventing; Groups]
Results: Learning Environment
When faced with a learning environment that meant either learning by oneself or in a team with colleagues, the following results were garnered:
In terms of the importance of having an enjoyable and fun environment:
[Chart: Learning Environment (0–100%) – categories: Learning From Others; Discussion; Gregarious; With Colleagues; Competitive]
[Chart (0–100%) – categories: Enjoyable Atm.; Challenging Problems]
Results: Learning Preferences
Respondents’ attitudes towards their thinking styles may indicate their preferences on how they approach challenges in learning etc.:
[Chart: Preferences (0–100%) – categories: Apply Learnt; New Ways; Future Orientated; Examine New; Different Solutions]
Respondents’ attitudes towards visual stimuli were quite conclusive and were recorded as follows:
[Chart: Visual (0–100%) – categories: TV Over Book; TV Over Writing; TV Over PC]
Constructivist ISA: Task 1
Employees requested to construct an email message in 45 minutes (after CIO scrutiny)
Given access to resources (internet, written material on IS etc.), they were asked to examine and identify the important ISA aspects which needed to be transmitted in the email they created. Requested to make it creative and funny, to encourage more fun (kinaesthetic)
Focus on convergent and divergent thinking by encouraging and balancing fact (actual ISA information) and feasibility (funny cartoon), and striking an equilibrium between structure and flexibility
Remarkable features:
Vocal and visible expressions of happiness and jubilation from the groups were experienced
Excited and animated on returning their created group-effort email
Happy and cheerful for completing the task
Constructivist ISA : Task 2,3,4,5...
Sample Task 2: Videoed Presentation: produce a 2-minute videoed presentation similar to a youtube.com video
Sample Task 3: Quiz Creation: produce an ISA quiz written around a geometric shape that would be cut out and converted into a 3D shape (e.g. a cube) displayed on their desk
Sample Task 4: Poster Creation: Importance of Backup
Sample Task 5: For and Against Discussion: choose an ISA concept from set cards, then think up arguments for and against it; later asked to defend the concept
Sample Task 6: Approximations: employees requested to guess as accurately as possible the volume capacity of two vessels (e.g. a cup and a test tube) representing ISA statistics
Evaluation
Our survey shows that 91% preferred the CISA constructivist approach (App. 2)
Traditional methods of disseminating and delivering ISA programmes may be ineffective
Negative effect on the intrinsic motivation/ attitude in learning ISA concepts
Employees preferred to develop and construct their own material interactively
CIO’s should consider adopting constructivist methodologies to improve ISA awareness
Employees’ attitudes had transformed when CISA was implemented
Employees wanted freedom from the confines of formal passive learning (in keeping with previous research findings)
Case Study Results
[Chart: Case Study Results – Approach 1 vs Approach 2]
CONCLUSIONS
Employees can be blamed for the traditional ISA paradigm, as they tend to expect experts to transfer the knowledge to them
Learners construct their own knowledge - interaction with environment
At the heart of CISA approach: Employees must understand Information Security but also develop thinking skills (analysis, reasoning, problem solving) otherwise they gain only a superficial attitude and awareness towards ISA
Security experts should employ constructivist methods
This study made use of constructivist methods to enhance employee awareness of information security ideas and concepts through the interactive collaboration of employees, who played a more central role in developing and enthusing the company ISA programme with interactive and enjoyable activities
There was a perceived improvement in information security awareness. The significant findings and results of this study were:
91% of the employees in the case-study preferred the new approach (Constructivist ISA) as opposed to traditional programs
94% of the employees surveyed were dissatisfied with their companies’ current information security programs
Thank You